eLearnSecurity - IHRPv1 - Incident Handling and Reponse

securityorc · July 2019

They describe their 9 labs here: https://www.elearnsecurity.com/course/incident_handling_response_professional/

They shot themselves in the foot with this one, all that marketing and the end product doesn't deliver on the promises. If they didn't sell it as the most advanced IR course in the world with tons of content, video and labs, they wouldn't have generated all this disappointment.

I'd say this course is suitable for training L1 / L2 SOC analysts, but it's really expensive for what it has to offer. Building a lab would have a much higher ROI in my opinion.

SleepyLCTL · July 2019

My main criticisms are:

- no memory forensics. The EDR addition should have opened up this option, but they're probably saving it for a dedicated course
- no AD. In the most advanced incident response course of the world, you're looking at standalone hosts. I did not expect this. There are sections going over event logs and the like, but this is where the labs needed to shine! Go over lateral movement in the enterprise, compromised DCs, attacks against Exchange, AD recon, all these practical bits that are relevant to a modern enterprise environment are missing from the labs.

@SleepyLCTL - How did you find the PTX content? In retrospect, and after reading other reviews, that one or the Threat Hunting course might have been a better choice for me.

Hi, I agree with you. Regarding PTX, I haven't gone thru it yet, just checked the content. In comparison, PTP is needed fundamentals and core of ELS. PTX is just an ad-don, I feel like this course is not supposed to be something like ... comprehensive PTP but advanced, but more something some some nice tips how do something what is really kinda difficult to find online in a simple form (phishing part).

In terms of money, as I got IHRP and PTX generally 2in1, it's good stuff and it gives a value, however I don't recommend buying PTX. It's good, however... not good enough. But maybe I am just too spoiled.

SleepyLCTL · July 2019

Later on, I will maybe start a thread about ELS. I think I have seen enough of their content to do a proper review. The most important thing, which is related to IHRP - the reason why I bought IHRP, I was looking for a ways, how to find a malware in endpoints, some IoC and stuff. More less content of SOC T2/T3 ... the funny part was, that I had a chance to sneak peak to Threat Hunting, which is exactly, what I was missing in IHRP.

And this is the most important message of this topic - ELS, got spoiled. PTP started as a single course, which had over ... I think 6k slides, brutal knowledge inside. However this concept is probably not good for business. What they did, they took one topic (SOC stuff) and divided to into Threat Hunting, which is missing esentiaosl of SIEM etc, and IHRP which is missing also stuff. Long story short, they are gold-diggers, tries to create as many as possible courses to milk the customers. No, they did not forget to add the most important info, they just moved it somewhere else. Do you want to have full picture? Buy THP, maybe IHRP and and everything what comes next.

They basically took PTP and created an amazing course about offensive stuff, then took defensive stuff and separated it to quite expensive courses, which sucks separately, but would excel together.

It's also fascinating, the courses, by this set up, should be like a puzzle, put together, and get ultimate value. BUT, in every course, in PTP, in PTS, in THP and IHRP... you find multiply described fundamentals of networking, which is only being recycled.

jeremy_dfir · July 2019

I have just started studying IHRP after being an Incident Handler and (light) Digital Forensics guy for some years now. Unfortunately, being a coordinator, triaging head and sometimes doing the "logistics" of each incident caused me to be behind the latest attacks. Thankfully my company was kind enough to fund both IHRP and PTX so that I become more relevant and up-to-date.

I doubt i am good enough for PTX (since i am a blue team guy), but i am very satisfied with IHRP. I love the tactical analytics approach. Never seen a course that combines a good level of traffic analysis with tactical analytics.
It's like SANS 503 + 504 + 555 all in one course. I am not very objective though, i already have eCDFP and eCTHP.

I agree that eLearnSecurity is getting expensive though. I wouldn't be able to buy those two courses by myself for sure.

new2Sec · July 2019

That seems to be their business model over the past couple of years. No real direction. No webinars. No employees.

They probably want break up PTS/PTP to junior pentester, advanced junior pentester, junior associate pentester, associate pentester, junior professional pentester, and finally, professional pentester.

$2k each, with 2 labs each. LOL

they r joke.

securityorc · July 2019

I agree that their business model revolves more around making money than delivering quality results. I haven't tried their offensive courses, but on the blue team side, a really comprehensive course would have been a combination of their forensics, threat hunting, reverse engineering and incident response courses. Real IR involves aspects of all the above + more. I've also wore multiple hats during my IR experience and I would consider it completely lacking for someone in the field to only have limited knowledge on one facet, and be ignorant of the rest. The difficulty and beauty of security is that it combines knowledge and skills, it's not a specialization bubble where you can thrive knowing only one thing.

And another thing, let's be serious, if they're claiming that they're so much cheaper than SANS, well they're nowhere near SANS in terms of quality. And on the offensive side, their direct competitor is cheaper, as well as worlds apart. I'm referring to Offensive Security here. They could have gained notoriety and become a major player by following a long-term strategy, but they went for the money first.

ConstantSage · July 2019

I have done the PTS course and enjoyed it but I am more interested in blue team. After reading through this thread it seems like most people have come away slightly unimpressed with the courses eLearnSecurity is putting out. That being said, could someone recommend a decent alternative? I'm mainly looking for a lab environment with some instruction mixed in. A home lab is not an option for me right now due to space limitations primarily.

SleepyLCTL · July 2019

ConstantSage said:

I have done the PTS course and enjoyed it but I am more interested in blue team. After reading through this thread it seems like most people have come away slightly unimpressed with the courses eLearnSecurity is putting out. That being said, could someone recommend a decent alternative? I'm mainly looking for a lab environment with some instruction mixed in. A home lab is not an option for me right now due to space limitations primarily.

I can honestly recommend you PTP, as it's a great course. However, stay away from the blue ones. From my perspective, PTP > OSCP, as it gives you similar results, but PTP is applicable, where OSCP is throwing exploits to boxes and being "hacker", which nowadays - does not exist.

Also I would recommend you these: https://www.pentesteracademy.com/ heart it's good, however not tested.

And nowadays, if you want to be a pentester - web apps are majority, must know - you can start here. https://portswigger.net/web-security

And as 90% pentests do not go over OWASP TOP 10 - learn about tests mentioned in: https://www.owasp.org/index.php/Top_10-2017_Top_10 AND https://www.owasp.org/index.php/Testing_Checklist older but must know the principles.

Generally, you have to almost master webapps, as above (Web App Pentester handbook very helpful) then know stuff handled in OSCP and PTP like exploits, metasploit, HOWEVER no one does this manually nowadays >>> vulnerability management rather learn about nessus, qualys, openvas. And maybe learn about Android hacking, like drozer, cert pinning, and these kind of stuffs... And it's almost free

sil3nt_n1nja · July 2019

I have been an offensive security fanboy from the beginning of my career. I recently persuaded my company to buy IHRP for me. I was really interested to witness first hand how the attacks i usually execute get detected. I may have to conduct two different pentests in a week, so i never had time to search online what traces i leave behind. I have no intention of obtaining the eCIR certification, but the course didn't disappoint at all. I would recommend it (especially if your company can buy it for you

the salaries around here suck big time)

securityorc · July 2019

ConstantSage said:

I have done the PTS course and enjoyed it but I am more interested in blue team. After reading through this thread it seems like most people have come away slightly unimpressed with the courses eLearnSecurity is putting out. That being said, could someone recommend a decent alternative? I'm mainly looking for a lab environment with some instruction mixed in. A home lab is not an option for me right now due to space limitations primarily.

Not a course per se, but have a look at https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material

They guide you through the lab setup and it looks to be minimal in terms of resource usage. I've only recently started going through their stuff, I'm at the artefact analysis fundamentals part, so still have a long way to go, but I must say they look impressive for a free resource.

flamecopper · December 2019

Skyyyyy2001 said:

SleepyLCTL said:

SexyLemur said:

@SleepyLCTL wait they credited you for a different course? I was going to ask to get credit to take the ecppt instead.

I asked for refund, did not get that, however he offered me with an alternative to choose something else. I chose ecpx as I already have ecppt. I find it fair.

I have done the same as well and ask for a refund or change to another course and I'm a very unhappy customer at this point in time.

I hope Armando is looking at this thread.

Yes, I was also offered something to swap as well. But for another course. May I know if the price has to be the same?

jeremy_dfir · February 2020

Just got my eCIR cert. What a crazy exam that was!!! For anyone taking the course, make sure you read literally everything. You will have to combine everything to figure out the attack path. If I find some time I will post a detailed review...

chrisone · February 2020

jeremy_dfir said:

Just got my eCIR cert. What a crazy exam that was!!! For anyone taking the course, make sure you read literally everything. You will have to combine everything to figure out the attack path. If I find some time I will post a detailed review...

Wow congrats! please write up a review of your experience, the time you spent, any additional material, how you feel now about passing the exam, and what your next goals are.

Thanks and I am very happy to hear your about your success!

jeremy_dfir · February 2020

Thank you @chrisone . I will definitely try to review the whole course and post here.

dirtscout · February 2020

Man, I wish I would've found this forum before I bought IHRP and DFIR. They don't offer refunds either so I hear, even if content hasn't been opened. But are there any competitors besides sans that can offer a decent course and certification? If so I most definitely did not do my research correctly. I'm really disappointed. Hoping I will get a decent foothold on SOC/Incident Response at the very least. Cert is a piece of paper, I was hoping to bring qualiy base knowledge to ny first position.

chrisone · February 2020

I wouldn't read too much into the reviews you may have come across this post. No disrespect to the viewpoints that were given here but they were quick assessments based off the syllabus and a day or two of looking at the slides. I don't know these persons personally, but they could be highly experienced blue teamers and looking at this content probably was unimpressive.

I would focus on reviews from people who have finished the entire course or possibly the cert. They would have a better honest review of things, coming from either a rookie or veteran perspective.

TimBaker · March 2020

jeremy_dfir said:

Just got my eCIR cert. What a crazy exam that was!!! For anyone taking the course, make sure you read literally everything. You will have to combine everything to figure out the attack path. If I find some time I will post a detailed review...

Hi @jeremy_dfir, when are you going to provide us with your detailed review?

dirtscout · March 2020

As I get deeper into the course it seems a lot better than my first impressions. My original post was probably a bit of sticker shock built in there. I think eLearn shines with the labs, DFIR and IHRP. They really do help reinforce the material. So far so good.

Luckily I am now a Threat Intelligence Group Analyst with a great company that's all about training "apprentices". Have a great mentor and team to grow with. They love eLearn, so I am lucky to be able to expense the cost (if I pass)

TimBaker · March 2020

dirtscout said:

As I get deeper into the course it seems a lot better than my first impressions. My original post was probably a bit of sticker shock built in there. I think eLearn shines with the labs, DFIR and IHRP. They really do help reinforce the material. So far so good.

Luckily I am now a Threat Intelligence Group Analyst with a great company that's all about training "apprentices". Have a great mentor and team to grow with. They love eLearn, so I am lucky to be able to expense the cost (if I pass)

Glad to learn that your investment in IHRP is useful. I mean its always hard to pass the discounts offered to old students.

Do you think you'll be doing the exam soon? How far have you gotten into the material?

I only just started reading the material, I feel as if I'm a bit slow with it but don't want to miss important details.

dirtscout · March 2020

I am about a quarter of the way through, my days have been a lot more busy. Make sure you have the slides/material open as you work through the labs, it really has helped me out. My goal is to get the exam in by the end of May, but that might not happen if my schedule doesn't slow down.

TimBaker · March 2020

dirtscout said:

I am about a quarter of the way through, my days have been a lot more busy. Make sure you have the slides/material open as you work through the labs, it really has helped me out. My goal is to get the exam in by the end of May, but that might not happen if my schedule doesn't slow down.

Yeah, I reckon it'll be a busier time for threat and SOC analysts since everyone's focused on the Rona. Thanks for the tip, not a bad idea to pace yourself. Will work on completing the material and labs by the 3rd-4th week in April. It'll be great if there's a study group. This is not my primary line of work so rubbing minds will be helpful.

dirtscout · March 2020

Tim there are some great Discord servers to brain storm at. Check out The Cyber Mentor on YouTube for a server invite. They have a very active, and fun, community. And a lot are taking eLearn certs. Whether it's on the offensive or defensive side.

chrisone · May 2020

Small bump, I will be taking the eCIR exam on the following weekend May 16-17.

In all honesty the material is pretty good, I have been enjoying it. There is a lot to learn here, I am 3/4's done with the content. That is all I will say for now, since I am not entirely done with the content and do not want to comment prematurely on the overall experience. I will have a full review that week depending if I get my results that same week, I would like to also share a spoiler free testing experience, along with the results (pass or fail).

Sigh .... I still owe you guys a VHL and OSCP review lol

TimBaker · May 2020

chrisone said:

Small bump, I will be taking the eCIR exam on the following weekend May 16-17.

In all honesty the material is pretty good, I have been enjoying it. There is a lot to learn here, I am 3/4's done with the content. That is all I will say for now, since I am not entirely done with the content and do not want to comment prematurely on the overall experience. I will have a full review that week depending if I get my results that same week, I would like to also share a spoiler free testing experience, along with the results (pass or fail).

Sigh .... I still owe you guys a VHL and OSCP review lol

Dude, you are on a roll this year! Hats off to you! I'm done with the IHRP content, blazed through but I honestly have to re-read and practice the labs again.

The content is definitely useful. There are areas where they repeated stuff that you'd find in their other courses and there are areas where they could have provided more details but instead tried to condense the content. Although the case studies covered in the lab are very much covered in the slides I feel as if they didn't place them after the most relevant chapters to achieve optimal learning.

Overall it is a very good course if you focus on the new things to learn and I can already tell the exam will be challenging from going through the material and from some reviews I've seen.

I read this guy's review and I think it might be helpful.

https://haydz.github.io/2020/04/20/elearnircert.html

chrisone · May 2020

Thanks @TimBaker

I did notice topics coming from other courses but that is 100% needed and proves this course is on a deeper level. I was glad they went into red team techniques and describe a lot of the windows AD red team TTPs focus on. Thank you for the link, the review was spot on and I agree 100% with the author.

I am done with the content slides and wrapping up the Splunk and ELK labs today. With that said I will start building my **** sheets of queries\syntax, methodologies, pcap analysis\wireshark filters, windows event IDs, etc. I will also be practicing and doing the labs over and over again for the next 8 days until I start the exam.

The course is good, even if you are a tier 2-3 analyst\incident responder\security engineer. The course is amazing if you are just getting into cyber security analyst positions. If you were to cover the same topics using SANS courses, it would cost you a fortune as you would need to take the following

SEC450: Blue Team Fundamentals: Security Operations and Analysis

SEC455: SIEM Design & Implementation

SEC503: Intrusion Detection In-Depth

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

From a generalized high level view, Yes the IHRP course covers mostly what these courses cover.

I hear people complain about death by slides....but isnt that technically what SANS courses mostly are? Physical books of slides? Yes they have VMs and labs, but so does elearn and to balance this stand off, the SANS tests are multiple choice questions as opposed to a live active hands on test that elearnsecurity tests you on, plus a report. Sorry for the quick rant and I get it these are trigger\fighting words for some hahaha

kdougl1990 · July 2020

chrisone said:

Thanks @TimBaker

I did notice topics coming from other courses but that is 100% needed and proves this course is on a deeper level. I was glad they went into red team techniques and describe a lot of the windows AD red team TTPs focus on. Thank you for the link, the review was spot on and I agree 100% with the author.

I am done with the content slides and wrapping up the Splunk and ELK labs today. With that said I will start building my **** sheets of queries\syntax, methodologies, pcap analysis\wireshark filters, windows event IDs, etc. I will also be practicing and doing the labs over and over again for the next 8 days until I start the exam.

The course is good, even if you are a tier 2-3 analyst\incident responder\security engineer. The course is amazing if you are just getting into cyber security analyst positions. If you were to cover the same topics using SANS courses, it would cost you a fortune as you would need to take the following

SEC450: Blue Team Fundamentals: Security Operations and Analysis
SEC455: SIEM Design & Implementation
SEC503: Intrusion Detection In-Depth
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

From a generalized high level view, Yes the IHRP course covers mostly what these courses cover.

I hear people complain about death by slides....but isnt that technically what SANS courses mostly are? Physical books of slides? Yes they have VMs and labs, but so does elearn and to balance this stand off, the SANS tests are multiple choice questions as opposed to a live active hands on test that elearnsecurity tests you on, plus a report. Sorry for the quick rant and I get it these are trigger\fighting words for some hahaha

Did you end up taking the exam? What did you think about it?

chrisone · July 2020

Hi @kdougl1990
Yes I took the exam back in May and passed. I thought the course and the exam were really well done. It will bring up any new blue teamer up to speed on many factors a good team member should have. It is well rounded, as mentioned above, covers blue team fundamentals, SIEM (Splunk & ELK), intrusion detection and analysis, hacker TTPs, and incident handling, methodologies.

Basically the goal of this course is to have you fully analyze an incident and understand , the who, what, where, how, and provide all the evidence of everything and everywhere the attacker touched.

I will write a full review soon. Just been really busy with other certs and life right now.

kdougl1990 · July 2020

Thanks @chrisone appreciate the response. I just knocked out WAPT and ECPTP and have been very interested in trying one of the blue team certs. I've been looking through a few forums and the general consensus I have come across is that most have been disappointed with the course content. It has made me consider skipping IHRP all together and going with THP, and maybe taking a chance on Security Blue Team's newly launched Blue Team Level 1 cert.

chrisone · July 2020

Thats cool. I am actually taking WAPT exam right now lol

A lot of IHRP reviews I saw were from people who "haven't finished" or gone through the entire course. Either they just looked at the number of labs or browsed the syllabus. Another factor I saw was that these reviews anticipated a course with Incident Response & Threat Hunting all together. I have done most of the THPv2 course PDFs, that course has been really good so far.

Regarding the BTL1 course, looking at the syllabus there wasn't much of any threat hunting at all. I felt it was teaching pretty much the same concepts and idea of the IHRP. I am sure BTL will be a good series of courses.

I could see BTL2 and BTL advanced having more threat hunting similar to what THPv2 has.

secureckb · September 2020

u1tras said:

Just checked out last year's discounts from eLS. There was about 40% off for the new launched THP course and $200 gift card for other courses. Hope they'll repeat it again:)

did you like the THP class? Im taking it right now

eLearnSecurity - IHRPv1 - Incident Handling and Reponse

Comments